Shorewall 3.2.6

Setup: Shorewall system with two interfaces, loc and net, pretty standard. Port 80 from the net is DNAT'd to a web server on the LAN, works fine.

Customer accesses the web server externally via IP address rather than DNS name (I know, I know). Wants to know if he can access it from the LAN using the same IP as he does externally. I set up a DNAT rule to send externalIP:80 requests from the LAN to the web server on the LAN, but this fails (routeback is enabled). I suspect this is because the web server sees that the source address is on the LAN and thus it can reply directly; the user's PC sees the web response from a different IP to the one it sent it to and so ignores it. I can see the packets on the firewall from the user's PC being redirected to the webserver, but I see no replies, which supports the 'webserver replies directly' theory. Direct access to the web server via its real (LAN) IP works.

It almost seems that I want to NAT addresses from the LAN to the webserver on the LAN. Can that be done? Is there a better way?

Thanks,
Keith

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Keith Edmunds wrote:
> Shorewall 3.2.6
>
> Setup: Shorewall system with two interfaces, loc and net, pretty standard.
> Port 80 from the net is DNAT'd to a web server on the LAN, works fine.
>
> Customer accesses the web server externally via IP address rather than DNS
> name (I know, I know). Wants to know if he can access it from the LAN
> using the same IP as he does externally. I set up a DNAT rule to send
> externalIP:80 requests from the LAN to the web server on the LAN, but this
> fails (routeback is enabled). I suspect this is because the web server sees
> that the source address is on the LAN and thus it can reply directly; the
> user's PC sees the web response from a different IP to the one it sent it
> to and so ignores it. I can see the packets on the firewall from the
> user's PC being redirected to the webserver, but I see no replies, which
> supports the 'webserver replies directly' theory. Direct access to the web
> server via its real (LAN) IP works.
>
> It almost seems that I want to NAT addresses from the LAN to the webserver
> on the LAN. Can that be done? Is there a better way?
>

This is Shorewall FAQ 2.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
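For readers who do not have the FAQ to hand: the approach FAQ 2 describes is the "NAT addresses from the LAN" idea from the question, i.e. hairpin NAT. The DNAT rule rewrites the destination to the server, and a masq entry additionally SNATs those LAN-originated connections to the firewall's own LAN address, so the server's replies are forced back through the firewall (which then un-DNATs them) instead of going straight to the client PC that is expecting a reply from the external IP. The fragments below are an added illustration, not configuration from either message in the thread; the interface name and all addresses are assumed placeholders (eth1 = loc interface, 192.168.1.0/24 = LAN, 192.168.1.5 = web server, 192.168.1.254 = firewall's LAN address, 203.0.113.10 = external IP).

```text
# /etc/shorewall/rules  (Shorewall 3.2 column layout; addresses are assumed placeholders)
#ACTION   SOURCE   DEST               PROTO   DEST    SOURCE   ORIGINAL
#                                             PORT(S) PORT(S)  DEST
# Existing rule: Internet clients reach the server via the external IP
DNAT      net      loc:192.168.1.5    tcp     80      -        203.0.113.10
# Added rule: LAN clients using the same external IP are redirected too
DNAT      loc      loc:192.168.1.5    tcp     80      -        203.0.113.10

# /etc/shorewall/masq  (assumed: eth1 is the loc interface)
#INTERFACE            SUBNET            ADDRESS
# SNAT LAN traffic that is being forwarded to the server so that the
# server replies to the firewall rather than directly to the client.
eth1:192.168.1.5      192.168.1.0/24    192.168.1.254
```

Two practical caveats. First, the loc interface still needs the `routeback` option, since packets enter and leave on the same interface. Second, once the masq entry is in place the web server's logs will show the firewall's LAN address (192.168.1.254 in the assumed layout) as the client for every hairpinned connection, so the per-client source information is lost on the server side; if that matters, the cleaner alternative FAQ 2 also points to is split DNS, where LAN clients resolve the name to the server's real 192.168.1.5 address and no NAT is involved at all.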